<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Audit event types | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'audit-event-types.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/audit-event-types.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/audit-event-types.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/audit-event-types.html" rel="nofollow" target="_blank">../en/audit-event-types.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-link"><a href="enable-audit-logging.html">Enabling audit logging</a></span>
»
<span class="breadcrumb-node">Audit event types</span>
</div>
<div class="navheader">
<span class="prev">
<a href="enable-audit-logging.html">« Enabling audit logging</a>
</span>
<span class="next">
<a href="audit-log-output.html">Logfile audit output »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="audit-event-types"></a>Audit event types<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/auditing/event-types.asciidoc">edit</a><a class="xpack_tag" href="https://www.elastic.co/subscriptions"></a>
</h2>
</div></div></div>
<p>When you are <a class="xref" href="enable-audit-logging.html" title="Enabling audit logging">auditing security events</a>, each request can generate
multiple audit events.</p>
<p>The following is a list of the events that can be generated:</p>
<div class="informaltable">
<table border="1" cellpadding="4px">
<colgroup>
<col class="col_1">
<col class="col_2">
<col class="col_3">
<col class="col_4">
</colgroup>
<tbody>
<tr>
<td align="left" valign="top"><p><code class="literal">anonymous_access_denied</code></p></td>
<td align="left" valign="top"><p></p></td>
<td align="left" valign="top"><p></p></td>
<td align="left" valign="top"><p>Logged when a request is denied due to a missing
                                          authentication token.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">authentication_success</code></p></td>
<td align="left" valign="top"><p></p></td>
<td align="left" valign="top"><p></p></td>
<td align="left" valign="top"><p>Logged when a user successfully authenticates.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">authentication_failed</code></p></td>
<td align="left" valign="top"><p></p></td>
<td align="left" valign="top"><p></p></td>
<td align="left" valign="top"><p>Logged when the authentication token cannot be
                                          matched to a known user.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">realm_authentication_failed</code></p></td>
<td align="left" valign="top"><p></p></td>
<td align="left" valign="top"><p></p></td>
<td align="left" valign="top"><p>Logged for every realm that fails to present a valid
                                          authentication token. <code class="literal">&lt;realm&gt;</code> represents the
                                          realm type.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">access_denied</code></p></td>
<td align="left" valign="top"><p></p></td>
<td align="left" valign="top"><p></p></td>
<td align="left" valign="top"><p>Logged when an authenticated user attempts to execute
                                          an action they do not have the necessary
                                          <a class="xref" href="security-privileges.html" title="Security privileges">privilege</a> to perform.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">access_granted</code></p></td>
<td align="left" valign="top"><p></p></td>
<td align="left" valign="top"><p></p></td>
<td align="left" valign="top"><p>Logged when an authenticated user attempts to execute
                                          an action they have the necessary privilege to perform.
                                          When the <code class="literal">system_access_granted</code> event is included, all system
                                          (internal) actions are also logged. The default setting does
                                          not log system actions to avoid cluttering the logs.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">run_as_granted</code></p></td>
<td align="left" valign="top"><p></p></td>
<td align="left" valign="top"><p></p></td>
<td align="left" valign="top"><p>Logged when an authenticated user attempts to <a class="xref" href="run-as-privilege.html" title="Submitting requests on behalf of other users">run as</a>
                                          another user that they have the necessary privileges to do.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">run_as_denied</code></p></td>
<td align="left" valign="top"><p></p></td>
<td align="left" valign="top"><p></p></td>
<td align="left" valign="top"><p>Logged when an authenticated user attempts to <a class="xref" href="run-as-privilege.html" title="Submitting requests on behalf of other users">run as</a>
                                          another user action they do not have the necessary
                                          <a class="xref" href="security-privileges.html" title="Security privileges">privilege</a> to do so.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">tampered_request</code></p></td>
<td align="left" valign="top"><p></p></td>
<td align="left" valign="top"><p></p></td>
<td align="left" valign="top"><p>Logged when the security features detect that the request has
                                          been tampered with. Typically relates to <code class="literal">search/scroll</code>
                                          requests when the scroll ID is believed to have been
                                          tampered with.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">connection_granted</code></p></td>
<td align="left" valign="top"><p></p></td>
<td align="left" valign="top"><p></p></td>
<td align="left" valign="top"><p>Logged when an incoming TCP connection passes the
                                          <a class="xref" href="ip-filtering.html" title="Restricting connections with IP filtering">IP Filter</a> for a specific
                                          profile.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">connection_denied</code></p></td>
<td align="left" valign="top"><p></p></td>
<td align="left" valign="top"><p></p></td>
<td align="left" valign="top"><p>Logged when an incoming TCP connection does not pass the
                                          <a class="xref" href="ip-filtering.html" title="Restricting connections with IP filtering">IP Filter</a> for a specific
                                          profile.</p></td>
</tr>
</tbody>
</table>
</div>
<h3>
<a id="audit-event-attributes"></a>Audit event attributes<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/auditing/event-types.asciidoc">edit</a>
</h3>
<p>In 6.5.0, there is a new <a class="xref" href="audit-log-output.html" title="Logfile audit output"><code class="literal">logfile</code> audit output</a> format.
This format also brings in a few changes for audit event attributes.</p>
<p>The new format is output to the <code class="literal">&lt;clustername&gt;_audit.json</code> file.
The audit entries are formatted as flat JSON documents (that is to say, no
nested objects), one per line. Hence, the attribute names are JSON keys and they
follow a dotted name syntax. Any attributes that lack a value (<code class="literal">null</code>) are not
output.</p>
<p>The following list shows attributes that are common to all audit events.
Their names and values are analogous to those in the deprecated <code class="literal">logfile</code> or
<code class="literal">index</code> output formats. However, it is expected that the formats will evolve
independently during the 6.x releases, so it is advisable to follow the attribute
descriptions for the format that you are using.</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">@timestamp</code>
</span>
</dt>
<dd>
The time, in ISO9601 format, when the event occurred.
</dd>
<dt>
<span class="term">
<code class="literal">node.name</code>
</span>
</dt>
<dd>
The name of the node. This can be changed
in the <code class="literal">elasticsearch.yml</code> config file.
</dd>
<dt>
<span class="term">
<code class="literal">node.id</code>
</span>
</dt>
<dd>
The node id. This is automatically generated and is
persistent across full cluster restarts.
</dd>
<dt>
<span class="term">
<code class="literal">host.ip</code>
</span>
</dt>
<dd>
The bound IP address of the node, with which the node
can be communicated with.
</dd>
<dt>
<span class="term">
<code class="literal">host.name</code>
</span>
</dt>
<dd>
The unresolved node’s hostname.
</dd>
<dt>
<span class="term">
<code class="literal">origin.address</code>
</span>
</dt>
<dd>
The source IP address of the request associated with
this event. This could be the address of the remote client,
the address of another cluster node, or the local node’s
bound address, if the request originated locally. Unless
the remote client connects directly to the cluster, the
<em>client  address</em> will actually be the address of the first
OSI layer 3 proxy in front of the cluster.
</dd>
<dt>
<span class="term">
<code class="literal">origin.type</code>
</span>
</dt>
<dd>
The origin type of the request associated with this event:
<code class="literal">rest</code> (request originated from a REST API request),
<code class="literal">transport</code> (request was received on the transport channel),
or <code class="literal">local_node</code> (the local node issued the request).
</dd>
<dt>
<span class="term">
<code class="literal">event.type</code>
</span>
</dt>
<dd>
The internal processing layer that generated the event:
<code class="literal">rest</code>, <code class="literal">transport</code> or <code class="literal">ip_filter</code>.
This is different from <code class="literal">origin.type</code> because a request
originating from the REST API is translated to a number
of transport messages, generating audit events with
<code class="literal">origin.type: rest</code> and <code class="literal">event.type: transport</code>.
</dd>
<dt>
<span class="term">
<code class="literal">event.action</code>
</span>
</dt>
<dd>
The type of event that occurred: <code class="literal">anonymous_access_denied</code>,
<code class="literal">authentication_failed</code>, <code class="literal">authentication_success</code>,
<code class="literal">realm_authentication_failed</code>, <code class="literal">access_denied</code>, <code class="literal">access_granted</code>,
<code class="literal">connection_denied</code>, <code class="literal">connection_granted</code>, <code class="literal">tampered_request</code>,
<code class="literal">run_as_denied</code>, or <code class="literal">run_as_granted</code>.
</dd>
<dt>
<span class="term">
<code class="literal">opaque_id</code>
</span>
</dt>
<dd>
The value of the <code class="literal">X-Opaque-Id</code> HTTP header (if present) of
the request associated with this event. This header can
be used freely by the client to mark API calls, as it has
no semantics in Elasticsearch.
</dd>
<dt>
<span class="term">
<code class="literal">x_forwarded_for</code>
</span>
</dt>
<dd>
The verbatim value of the <code class="literal">X-Forwarded-For</code> HTTP request
header (if present) of the request associated with the
audit event. This header is commonly added by proxies
when they forward requests and the value is the address
of the proxied client. When a request crosses multiple
proxies the header is a comma delimited list with the
last value being the address of the second to last
proxy server (the address of the last proxy server is
designated by the <code class="literal">origin.address</code> field).
</dd>
</dl>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="_audit_event_attributes_of_the_rest_event_type"></a>Audit event attributes of the REST event type<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/auditing/event-types.asciidoc">edit</a>
</h3>
</div></div></div>
<p>The events with <code class="literal">event.type</code> equal to <code class="literal">rest</code> have one of the following <code class="literal">event.action</code>
attribute values: <code class="literal">authentication_success</code>, <code class="literal">anonymous_access_denied</code>, <code class="literal">authentication_failed</code>,
<code class="literal">realm_authentication_failed</code>, <code class="literal">tampered_request</code> or <code class="literal">run_as_denied</code>.
These event types also have the following extra attributes (in addition to the
common ones):</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">url.path</code>
</span>
</dt>
<dd>
The path part of the URL (between the port and the query
string) of the REST request associated with this event.
This is URL encoded.
</dd>
<dt>
<span class="term">
<code class="literal">url.query</code>
</span>
</dt>
<dd>
The query part of the URL (after "?", if present) of the
REST request associated with this event. This is URL encoded.
</dd>
<dt>
<span class="term">
<code class="literal">request.method</code>
</span>
</dt>
<dd>
The HTTP method of the REST request associated with this
event. It is one of GET, POST, PUT, DELETE, OPTIONS,
HEAD, PATCH, TRACE and CONNECT.
</dd>
<dt>
<span class="term">
<code class="literal">request.body</code>
</span>
</dt>
<dd>
The full content of the REST request associated with this
event, if enabled. This contains the query body. The body
is escaped according to the JSON RFC 4627.
</dd>
</dl>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="_audit_event_attributes_of_the_transport_event_type"></a>Audit event attributes of the transport event type<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/auditing/event-types.asciidoc">edit</a>
</h3>
</div></div></div>
<p>The events with <code class="literal">event.type</code> equal to <code class="literal">transport</code> have one of the following <code class="literal">event.action</code>
attribute values: <code class="literal">authentication_success</code>, <code class="literal">anonymous_access_denied</code>, <code class="literal">authentication_failed</code>,
<code class="literal">realm_authentication_failed</code>, <code class="literal">access_granted</code>, <code class="literal">access_denied</code>, <code class="literal">run_as_granted</code>,
<code class="literal">run_as_denied</code>, or <code class="literal">tampered_request</code>.
These event types also have the following extra attributes (in addition to the common
ones):</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">action</code>
</span>
</dt>
<dd>
The name of the transport action that was executed.
This is like the URL for a REST request.
</dd>
<dt>
<span class="term">
<code class="literal">indices</code>
</span>
</dt>
<dd>
The indices names array that the request associated
with this event pertains to (when applicable).
</dd>
<dt>
<span class="term">
<code class="literal">request.name</code>
</span>
</dt>
<dd>
The name of the request handler that was executed.
</dd>
</dl>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="_audit_event_attributes_of_the_ip_filter_event_type"></a>Audit event attributes of the ip_filter event type<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/auditing/event-types.asciidoc">edit</a>
</h3>
</div></div></div>
<p>The events with <code class="literal">event.type</code> equal to <code class="literal">ip_filter</code> have one of the following <code class="literal">event.action</code>
attribute values: <code class="literal">connection_granted</code> or <code class="literal">connection_denied</code>.
These event types also have the following extra attributes (in addition to the common
ones):</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">transport_profile</code>
</span>
</dt>
<dd>
The transport profile the request targeted.
</dd>
<dt>
<span class="term">
<code class="literal">rule</code>
</span>
</dt>
<dd>
The <a class="xref" href="ip-filtering.html" title="Restricting connections with IP filtering">IP filtering</a> rule that denied
the request.
</dd>
</dl>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="_extra_audit_event_attributes_for_specific_events"></a>Extra audit event attributes for specific events<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/auditing/event-types.asciidoc">edit</a>
</h3>
</div></div></div>
<p>There are a few events that have some more attributes in addition to those
that have been previously described:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<p><code class="literal">authentication_success</code>:</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">realm</code>
</span>
</dt>
<dd>
The name of the realm that successfully
authenticated the user.
</dd>
<dt>
<span class="term">
<code class="literal">user.name</code>
</span>
</dt>
<dd>
The name of the <em>effective</em> user. This is usually the
same as the <em>authenticated</em> user, but if using the
<a class="xref" href="run-as-privilege.html" title="Submitting requests on behalf of other users">run as authorization functionality</a>
this instead denotes the name of the  <em>impersonated</em> user.
</dd>
<dt>
<span class="term">
<code class="literal">user.run_by.name</code>
</span>
</dt>
<dd>
This attribute is present only if the request is
using the <a class="xref" href="run-as-privilege.html" title="Submitting requests on behalf of other users">run as authorization functionality</a>
and denotes the name of the  <em>authenticated</em> user,
which is also known as the <em>impersonator</em>.
</dd>
</dl>
</div>
</li>
<li class="listitem">
<p><code class="literal">authentication_failed</code>:</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">user.name</code>
</span>
</dt>
<dd>
The name of the user that failed authentication.
If the request authentication token is invalid or
unparsable, this information might be missing.
</dd>
</dl>
</div>
</li>
<li class="listitem">
<p><code class="literal">realm_authentication_failed</code>:</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">user.name</code>
</span>
</dt>
<dd>
The name of the user that failed authentication.
</dd>
<dt>
<span class="term">
<code class="literal">realm</code>
</span>
</dt>
<dd>
The name of the realm that rejected this authentication.
<span class="strong strong"><strong>This event is generated for each consulted realm
in the chain.</strong></span>
</dd>
</dl>
</div>
</li>
<li class="listitem">
<p><code class="literal">run_as_denied</code> and <code class="literal">run_as_granted</code>:</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">user.roles</code>
</span>
</dt>
<dd>
The role names of the user as an array.
</dd>
<dt>
<span class="term">
<code class="literal">user.name</code>
</span>
</dt>
<dd>
The name of the <em>authenticated</em> user which is being
granted or denied the <em>impersonation</em> action.
</dd>
<dt>
<span class="term">
<code class="literal">user.realm</code>
</span>
</dt>
<dd>
The realm name that the <em>authenticated</em> user belongs to.
</dd>
<dt>
<span class="term">
<code class="literal">user.run_as.name</code>
</span>
</dt>
<dd>
The name of the user as which the <em>impersonation</em>
action is granted or denied.
</dd>
<dt>
<span class="term">
<code class="literal">user.run_as.realm</code>
</span>
</dt>
<dd>
The realm name of that the <em>impersonated</em> user belongs to.
</dd>
</dl>
</div>
</li>
<li class="listitem">
<p><code class="literal">access_granted</code> or <code class="literal">access_denied</code>:</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">user.roles</code>
</span>
</dt>
<dd>
The role names of the user as an array.
</dd>
<dt>
<span class="term">
<code class="literal">user.name</code>
</span>
</dt>
<dd>
The name of the <em>effective</em> user that is being
authorized or unauthorized. This is usually the <em>authenticated</em>
user, but if using the <a class="xref" href="run-as-privilege.html" title="Submitting requests on behalf of other users">run as authorization functionality</a>
this instead denotes the name of the  <em>impersonated</em> user.
</dd>
<dt>
<span class="term">
<code class="literal">user.realm</code>
</span>
</dt>
<dd>
The realm name that the <em>effective</em> user belongs to.
</dd>
<dt>
<span class="term">
<code class="literal">user.run_by.name</code>
</span>
</dt>
<dd>
This attribute is present only if the request is
using the <a class="xref" href="run-as-privilege.html" title="Submitting requests on behalf of other users">run as authorization functionality</a>
and denoted the name of the <em>authenticated</em> user,
which is also known as the <em>impersonator</em>.
</dd>
<dt>
<span class="term">
<code class="literal">user.run_by.realm</code>
</span>
</dt>
<dd>
This attribute is present only if the request is
using the <a class="xref" href="run-as-privilege.html" title="Submitting requests on behalf of other users">run as authorization functionality</a>
and denotes the name of the realm that the <em>authenticated</em>
(<em>impersonator</em>) user belongs to.
</dd>
</dl>
</div>
</li>
</ul>
</div>
<h3>
<a id="audit-event-attributes-deprecated-formats"></a>Audit event attributes for the deprecated formats<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/auditing/event-types.asciidoc">edit</a>
</h3>
<p>The following table shows the common attributes that can be associated with
every event, when it is output to the <code class="literal">&lt;clustername&gt;_access.log</code> file.</p>
<div class="table">
<p class="title"><strong>Table 70. Common attributes</strong></p>
<div class="table-contents">
<table border="1" cellpadding="4px" summary="Common attributes">
<colgroup>
<col class="col_1">
<col class="col_2">
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Attribute</th>
<th align="left" valign="top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p><code class="literal">@timestamp</code></p></td>
<td align="left" valign="top"><p>When the event occurred.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">node_name</code></p></td>
<td align="left" valign="top"><p>The name of the node.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">node_host_name</code></p></td>
<td align="left" valign="top"><p>The hostname of the node.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">node_host_address</code></p></td>
<td align="left" valign="top"><p>The IP address of the node.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">layer</code></p></td>
<td align="left" valign="top"><p>The layer from which this event originated: <code class="literal">rest</code>, <code class="literal">transport</code> or <code class="literal">ip_filter</code></p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">event_type</code></p></td>
<td align="left" valign="top"><p>The type of event that occurred: <code class="literal">anonymous_access_denied</code>,
                        <code class="literal">authentication_failed</code>, <code class="literal">authentication_success</code>,
                        <code class="literal">realm_authentication_failed</code>, <code class="literal">access_denied</code>, <code class="literal">access_granted</code>,
                        <code class="literal">connection_denied</code>, <code class="literal">connection_granted</code>, <code class="literal">tampered_request</code>,
                        <code class="literal">run_as_denied</code>, <code class="literal">run_as_granted</code>.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<p>These are positional attributes, which are printed at the beginning of each log line and
are not adjoined by the attribute name.</p>
<p>The attribute <code class="literal">origin_address</code> is also common to every audit event. It is always
named, that is, it is not positional. It denotes the source IP address of the
request associated with this event. This might be the address of the client, the
address of another cluster node, or the local node’s bound address (if the request
originated locally). Unless the client connects directly to the cluster, the
<em>client  address</em> is the address of the first OSI layer 3 proxy in front of the
cluster.</p>
<p>In addition, every event might have the <code class="literal">opaque_id</code> attribute, with the value as
it has been passed in by the <code class="literal">X-Opaque-Id</code> HTTP request header. This header can
be used freely by the client to mark API calls, as it has no semantics in
Elasticsearch. Every audit event, generated as part of handling a request thus
marked, contains the <code class="literal">opaque_id</code> attribute.</p>
<p>The following tables show the attributes that can are associated with each type
of event, in addition to the common ones previously described:</p>
<div class="table">
<p class="title"><strong>Table 71. REST anonymous_access_denied attributes</strong></p>
<div class="table-contents">
<table border="1" cellpadding="4px" summary="REST anonymous_access_denied attributes">
<colgroup>
<col class="col_1">
<col class="col_2">
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Attribute</th>
<th align="left" valign="top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p><code class="literal">uri</code></p></td>
<td align="left" valign="top"><p>The REST endpoint URI.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request_body</code></p></td>
<td align="left" valign="top"><p>The body of the request, if enabled.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="table">
<p class="title"><strong>Table 72. REST authentication_success attributes</strong></p>
<div class="table-contents">
<table border="1" cellpadding="4px" summary="REST authentication_success attributes">
<colgroup>
<col class="col_1">
<col class="col_2">
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Attribute</th>
<th align="left" valign="top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p><code class="literal">principal</code></p></td>
<td align="left" valign="top"><p>The <em>effective</em> (impersonated) username. Usually this is
                         the same as the <em>authenticated</em> username.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">run_by_principal</code></p></td>
<td align="left" valign="top"><p>The <em>authenticated</em> (impersonator) username.
                         This attribute is present only if the request is
                         using the <a class="xref" href="run-as-privilege.html" title="Submitting requests on behalf of other users">run as authorization functionality</a>.
                         Otherwise, the <em>effective</em> user is the same as the
                         <em>authenticated</em> one, which is indicated by the <code class="literal">principal</code>
                         attribute.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">realm</code></p></td>
<td align="left" valign="top"><p>The realm that authenticated the user.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">uri</code></p></td>
<td align="left" valign="top"><p>The REST endpoint URI.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">params</code></p></td>
<td align="left" valign="top"><p>The REST URI query parameters.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request_body</code></p></td>
<td align="left" valign="top"><p>The body of the request, if enabled.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="table">
<p class="title"><strong>Table 73. REST authentication_failed attributes</strong></p>
<div class="table-contents">
<table border="1" cellpadding="4px" summary="REST authentication_failed attributes">
<colgroup>
<col class="col_1">
<col class="col_2">
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Attribute</th>
<th align="left" valign="top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p><code class="literal">principal</code></p></td>
<td align="left" valign="top"><p>The principal (username) that failed authentication.
                         If the request’s authentication token is invalid, this
                         information might be missing.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">uri</code></p></td>
<td align="left" valign="top"><p>The REST endpoint URI.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request_body</code></p></td>
<td align="left" valign="top"><p>The body of the request, if enabled.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="table">
<p class="title"><strong>Table 74. REST realm_authentication_failed attributes</strong></p>
<div class="table-contents">
<table border="1" cellpadding="4px" summary="REST realm_authentication_failed attributes">
<colgroup>
<col class="col_1">
<col class="col_2">
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Attribute</th>
<th align="left" valign="top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p><code class="literal">realm</code></p></td>
<td align="left" valign="top"><p>The realm that failed to authenticate the user.
                         <span class="strong strong"><strong>A separate entry is logged for each consulted realm.</strong></span></p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">principal</code></p></td>
<td align="left" valign="top"><p>The principal (username) that failed authentication.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">uri</code></p></td>
<td align="left" valign="top"><p>The REST endpoint URI.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request_body</code></p></td>
<td align="left" valign="top"><p>The body of the request, if enabled.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="table">
<p class="title"><strong>Table 75. REST tampered_request attributes</strong></p>
<div class="table-contents">
<table border="1" cellpadding="4px" summary="REST tampered_request attributes">
<colgroup>
<col class="col_1">
<col class="col_2">
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Attribute</th>
<th align="left" valign="top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p><code class="literal">uri</code></p></td>
<td align="left" valign="top"><p>The REST endpoint URI.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request_body</code></p></td>
<td align="left" valign="top"><p>The body of the request, if enabled.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="table">
<p class="title"><strong>Table 76. Transport anonymous_access_denied attributes</strong></p>
<div class="table-contents">
<table border="1" cellpadding="4px" summary="Transport anonymous_access_denied attributes">
<colgroup>
<col class="col_1">
<col class="col_2">
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Attribute</th>
<th align="left" valign="top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p><code class="literal">origin_type</code></p></td>
<td align="left" valign="top"><p>Where the request originated: <code class="literal">rest</code> (request
                         originated from a REST API request), <code class="literal">transport</code>
                         (request was received on the transport channel), or
                         <code class="literal">local_node</code> (the local node issued the request).</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">action</code></p></td>
<td align="left" valign="top"><p>The name of the action that was executed.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">indices</code></p></td>
<td align="left" valign="top"><p>A comma-separated list of indices this request
                         pertains to (when applicable).</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request</code></p></td>
<td align="left" valign="top"><p>The type of request that was executed.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="table">
<p class="title"><strong>Table 77. Transport authentication_success attributes</strong></p>
<div class="table-contents">
<table border="1" cellpadding="4px" summary="Transport authentication_success attributes">
<colgroup>
<col class="col_1">
<col class="col_2">
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Attribute</th>
<th align="left" valign="top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p><code class="literal">origin_type</code></p></td>
<td align="left" valign="top"><p>Where the request originated: <code class="literal">rest</code> (request
                         originated from a REST API request), <code class="literal">transport</code>
                         (request was received on the transport channel), or
                         <code class="literal">local_node</code> (the local node issued the request).</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">principal</code></p></td>
<td align="left" valign="top"><p>The <em>effective</em> (impersonated) username. Usually this is
                         the same as the <em>authenticated</em> username.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">run_by_principal</code></p></td>
<td align="left" valign="top"><p>The <em>authenticated</em> (impersonator) username.
                         This attribute is present only if the request is
                         using the <a class="xref" href="run-as-privilege.html" title="Submitting requests on behalf of other users">run as authorization functionality</a>.
                         Otherwise, the <em>effective</em> and the <em>authenticated</em>
                         users are equivalent and are indicated by the
                         <code class="literal">principal</code> attribute.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">realm</code></p></td>
<td align="left" valign="top"><p>The realm that authenticated the user.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">action</code></p></td>
<td align="left" valign="top"><p>The name of the action that was executed.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">indices</code></p></td>
<td align="left" valign="top"><p>A comma-separated list of indices this request
                         pertains to (when applicable).</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request</code></p></td>
<td align="left" valign="top"><p>The type of request that was executed.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="table">
<p class="title"><strong>Table 78. Transport authentication_failed attributes</strong></p>
<div class="table-contents">
<table border="1" cellpadding="4px" summary="Transport authentication_failed attributes">
<colgroup>
<col class="col_1">
<col class="col_2">
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Attribute</th>
<th align="left" valign="top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p><code class="literal">origin_type</code></p></td>
<td align="left" valign="top"><p>Where the request originated: <code class="literal">rest</code> (request
                         originated from a REST API request), <code class="literal">transport</code>
                         (request was received on the transport channel), or
                         <code class="literal">local_node</code> (the local node issued the request).</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">principal</code></p></td>
<td align="left" valign="top"><p>The <em>effective</em> (impersonated) username. Usually this is
                         the same as the <em>authenticated</em> username. If the
                         request’s authentication token is invalid, this
                         information might be missing.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">run_by_principal</code></p></td>
<td align="left" valign="top"><p>The <em>authenticated</em> (impersonator) username.
                         This attribute is present only if the request is
                         using the <a class="xref" href="run-as-privilege.html" title="Submitting requests on behalf of other users">run as authorization functionality</a>.
                         Otherwise, the <em>effective</em> and the <em>authenticated</em>
                         users are equivalent and are indicated by the
                         <code class="literal">principal</code> attribute.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">action</code></p></td>
<td align="left" valign="top"><p>The name of the action that was executed.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">indices</code></p></td>
<td align="left" valign="top"><p>A comma-separated list of indices this request
                         pertains to (when applicable).</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request</code></p></td>
<td align="left" valign="top"><p>The type of request that was executed.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="table">
<p class="title"><strong>Table 79. Transport realm_authentication_failed attributes</strong></p>
<div class="table-contents">
<table border="1" cellpadding="4px" summary="Transport realm_authentication_failed attributes">
<colgroup>
<col class="col_1">
<col class="col_2">
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Attribute</th>
<th align="left" valign="top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p><code class="literal">realm</code></p></td>
<td align="left" valign="top"><p>The realm that failed to authenticate the user.
                         <span class="strong strong"><strong>A separate entry is logged for each consulted realm.</strong></span></p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">origin_type</code></p></td>
<td align="left" valign="top"><p>Where the request originated: <code class="literal">rest</code> (request
                         originated from a REST API request), <code class="literal">transport</code>
                         (request was received on the transport channel), or
                         <code class="literal">local_node</code> (the local node issued the request).</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">principal</code></p></td>
<td align="left" valign="top"><p>The principal (username) that failed authentication.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">action</code></p></td>
<td align="left" valign="top"><p>The name of the action that was executed.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">indices</code></p></td>
<td align="left" valign="top"><p>A comma-separated list of indices this request
                         pertains to (when applicable).</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request</code></p></td>
<td align="left" valign="top"><p>The type of request that was executed.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="table">
<p class="title"><strong>Table 80. Transport access_granted attributes</strong></p>
<div class="table-contents">
<table border="1" cellpadding="4px" summary="Transport access_granted attributes">
<colgroup>
<col class="col_1">
<col class="col_2">
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Attribute</th>
<th align="left" valign="top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p><code class="literal">origin_type</code></p></td>
<td align="left" valign="top"><p>Where the request originated: <code class="literal">rest</code> (request
                         originated from a REST API request), <code class="literal">transport</code>
                         (request was received on the transport channel), or
                         <code class="literal">local_node</code> (the local node issued the request).</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">principal</code></p></td>
<td align="left" valign="top"><p>The <em>effective</em> (impersonated) username for which
                         authorization succeeded. Unless the request is using
                         the <a class="xref" href="run-as-privilege.html" title="Submitting requests on behalf of other users">run as authorization functionality</a>,
                         the <em>effective</em> and <em>authenticated</em> usernames are equivalent.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">realm</code></p></td>
<td align="left" valign="top"><p>The realm name that <code class="literal">principal</code> belongs to.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">run_by_principal</code></p></td>
<td align="left" valign="top"><p>The <em>authenticated</em> (impersonator) username.
                         This attribute is present only if the request is
                         using the <a class="xref" href="run-as-privilege.html" title="Submitting requests on behalf of other users">run as authorization functionality</a>.
                         Otherwise, the <em>effective</em> and the <em>authenticated</em>
                         usernames are equivalent and are indicated by the
                         <code class="literal">principal</code> attribute.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">run_by_realm</code></p></td>
<td align="left" valign="top"><p>The realm name that <code class="literal">run_by_principal</code> belongs to
                         (when applicable).</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">roles</code></p></td>
<td align="left" valign="top"><p>The set of roles granting permissions.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">action</code></p></td>
<td align="left" valign="top"><p>The name of the action that was executed.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">indices</code></p></td>
<td align="left" valign="top"><p>A comma-separated list of indices this request
                         pertains to (when applicable).</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request</code></p></td>
<td align="left" valign="top"><p>The type of request that was executed.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="table">
<p class="title"><strong>Table 81. Transport access_denied attributes</strong></p>
<div class="table-contents">
<table border="1" cellpadding="4px" summary="Transport access_denied attributes">
<colgroup>
<col class="col_1">
<col class="col_2">
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Attribute</th>
<th align="left" valign="top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p><code class="literal">origin_type</code></p></td>
<td align="left" valign="top"><p>Where the request originated: <code class="literal">rest</code> (request
                         originated from a REST API request), <code class="literal">transport</code>
                         (request was received on the transport channel), or
                         <code class="literal">local_node</code> (the local node issued the request).</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">principal</code></p></td>
<td align="left" valign="top"><p>The <em>effective</em> (impersonated) username for which
                         authorization failed. Unless the request is using
                         the <a class="xref" href="run-as-privilege.html" title="Submitting requests on behalf of other users">run as authorization functionality</a>,
                         the <em>effective</em> and the <em>authenticated</em> usernames are
                         equivalent.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">realm</code></p></td>
<td align="left" valign="top"><p>The realm name that <code class="literal">principal</code> belongs to.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">run_by_principal</code></p></td>
<td align="left" valign="top"><p>The <em>authenticated</em> (impersonator) username.
                         This attribute is present only if the request is
                         using the <a class="xref" href="run-as-privilege.html" title="Submitting requests on behalf of other users">run as authorization functionality</a>.
                         Otherwise, the <em>effective</em> and the <em>authenticated</em>
                         usernames are equivalent and are indicated by the
                         <code class="literal">principal</code> attribute.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">run_by_realm</code></p></td>
<td align="left" valign="top"><p>The realm name that <code class="literal">run_by_principal</code> belongs to
                         (when applicable).</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">roles</code></p></td>
<td align="left" valign="top"><p>The set of roles granting permissions.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">action</code></p></td>
<td align="left" valign="top"><p>The name of the action that was executed.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">indices</code></p></td>
<td align="left" valign="top"><p>A comma-separated list of indices this request
                         relates to (when applicable).</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request</code></p></td>
<td align="left" valign="top"><p>The type of request that was executed.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="table">
<p class="title"><strong>Table 82. Transport run_as_granted attributes</strong></p>
<div class="table-contents">
<table border="1" cellpadding="4px" summary="Transport run_as_granted attributes">
<colgroup>
<col class="col_1">
<col class="col_2">
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Attribute</th>
<th align="left" valign="top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p><code class="literal">origin_type</code></p></td>
<td align="left" valign="top"><p>Where the request originated: <code class="literal">rest</code> (request
                         originated from a REST API request), <code class="literal">transport</code>
                         (request was received on the transport channel), or
                         <code class="literal">local_node</code> (the local node issued the request).</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">principal</code></p></td>
<td align="left" valign="top"><p>The <em>authenticated</em> (<em>impersonator</em>) username for which
                         the impersonation operation was granted.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">realm</code></p></td>
<td align="left" valign="top"><p>The realm name that the <em>authenticated</em> user belongs to.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">run_as_principal</code></p></td>
<td align="left" valign="top"><p>The <em>impersonated</em> username.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">run_as_realm</code></p></td>
<td align="left" valign="top"><p>The realm name that the <em>impersonated</em> username belongs to.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">roles</code></p></td>
<td align="left" valign="top"><p>The set of roles granting permissions.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">action</code></p></td>
<td align="left" valign="top"><p>The name of the action that was executed.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">indices</code></p></td>
<td align="left" valign="top"><p>A comma-separated list of indices this request
                         relates to (when applicable).</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request</code></p></td>
<td align="left" valign="top"><p>The type of request that was executed.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="table">
<p class="title"><strong>Table 83. Transport run_as_denied attributes</strong></p>
<div class="table-contents">
<table border="1" cellpadding="4px" summary="Transport run_as_denied attributes">
<colgroup>
<col class="col_1">
<col class="col_2">
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Attribute</th>
<th align="left" valign="top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p><code class="literal">origin_type</code></p></td>
<td align="left" valign="top"><p>Where the request originated: <code class="literal">rest</code> (request
                         originated from a REST API request), <code class="literal">transport</code>
                         (request was received on the transport channel), or
                         <code class="literal">local_node</code> (the local node issued the request).</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">principal</code></p></td>
<td align="left" valign="top"><p>The <em>authenticated</em> (<em>impersonator</em>) username for which
                         the impersonation operation was denied.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">realm</code></p></td>
<td align="left" valign="top"><p>The realm name that the <em>authenticated</em> user belongs to.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">run_as_principal</code></p></td>
<td align="left" valign="top"><p>The <em>impersonated</em> username.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">run_as_realm</code></p></td>
<td align="left" valign="top"><p>The realm name that the <em>impersonated</em> username belongs to.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">roles</code></p></td>
<td align="left" valign="top"><p>The set of roles granting permissions.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">action</code></p></td>
<td align="left" valign="top"><p>The name of the action that was executed.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">indices</code></p></td>
<td align="left" valign="top"><p>A comma-separated list of indices this request
                         relates to (when applicable).</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request</code></p></td>
<td align="left" valign="top"><p>The type of request that was executed.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="table">
<p class="title"><strong>Table 84. Transport tampered_request attributes</strong></p>
<div class="table-contents">
<table border="1" cellpadding="4px" summary="Transport tampered_request attributes">
<colgroup>
<col class="col_1">
<col class="col_2">
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Attribute</th>
<th align="left" valign="top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p><code class="literal">origin_type</code></p></td>
<td align="left" valign="top"><p>Where the request originated: <code class="literal">rest</code> (request
                         originated from a REST API request), <code class="literal">transport</code>
                         (request was received on the transport channel), or
                         <code class="literal">local_node</code> (the local node issued the request).</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">principal</code></p></td>
<td align="left" valign="top"><p>The <em>effective</em> (impersonated) username. Unless the request
                         is using the <a class="xref" href="run-as-privilege.html" title="Submitting requests on behalf of other users">run as authorization functionality</a>,
                         the <em>effective</em> and the <em>authenticated</em> usernames are
                         equivalent. If the requests’s authentication token is
                         invalid, this information might be missing.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">run_by_principal</code></p></td>
<td align="left" valign="top"><p>The <em>authenticated</em> (impersonator) username.
                         This attribute is present only if the request is
                         using the <a class="xref" href="run-as-privilege.html" title="Submitting requests on behalf of other users">run as authorization functionality</a>.
                         Otherwise, the <em>effective</em> and the <em>authenticated</em> usernames
                         are equivalent and are indicated by the <code class="literal">principal</code> attribute.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">action</code></p></td>
<td align="left" valign="top"><p>The name of the action that was executed.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">indices</code></p></td>
<td align="left" valign="top"><p>A comma-separated list of indices this request
                         pertains to (when applicable).</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request</code></p></td>
<td align="left" valign="top"><p>The type of request that was executed.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="table">
<p class="title"><strong>Table 85. IP filter connection_granted attributes</strong></p>
<div class="table-contents">
<table border="1" cellpadding="4px" summary="IP filter connection_granted attributes">
<colgroup>
<col class="col_1">
<col class="col_2">
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Attribute</th>
<th align="left" valign="top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p><code class="literal">transport_profile</code></p></td>
<td align="left" valign="top"><p>The transport profile the request targeted.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">rule</code></p></td>
<td align="left" valign="top"><p>The <a class="xref" href="ip-filtering.html" title="Restricting connections with IP filtering">IP filtering</a> rule that granted
                        the request.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="table">
<p class="title"><strong>Table 86. IP filter connection_denied attributes</strong></p>
<div class="table-contents">
<table border="1" cellpadding="4px" summary="IP filter connection_denied attributes">
<colgroup>
<col class="col_1">
<col class="col_2">
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Attribute</th>
<th align="left" valign="top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p><code class="literal">transport_profile</code></p></td>
<td align="left" valign="top"><p>The transport profile the request targeted.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">rule</code></p></td>
<td align="left" valign="top"><p>The <a class="xref" href="ip-filtering.html" title="Restricting connections with IP filtering">IP filtering</a> rule that denied
                        the request.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>

</div>
<div class="navfooter">
<span class="prev">
<a href="enable-audit-logging.html">« Enabling audit logging</a>
</span>
<span class="next">
<a href="audit-log-output.html">Logfile audit output »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>